Do not copy remediation functions each time they are used in a script

[jan-cerny]

If a fix script from XCCDF is generated and the fixes use some global functions, the copy of the function is placed into the result each time it is used. If we generate a fix from some big benchmark, it makes the script big and hard to read. For example:

$ oscap xccdf generate fix --profile  stig-rhel7-server-upstream ssg-rhel7-xccdf.xml > fix.sh
$ grep "function replace_or_append" fix.sh | wc -l
40

I think we don't need 40 copies of the same code in a single script 😀

[jan-cerny]

@kjankov @mpreisler I think this can be beneficial together with the latest improvements in the remediation scripts.

[mpreisler]

@jan-cerny the only way to fix this is to get into the business of parsing bash code :-) Isn't this more of a content issue than scanner? Why was it opened against openscap?

[jan-cerny]

@mpreisler I don't think we need to parse bash code to solve this problem. I also think the content in SCAP Security Guide is great. The remediation functions are there only once in the XCCDF. They are in remediation_functions Group element, Each function is an XCCDF Value element. For example <Value id="function_package_install" >. The functions are substituted in remediations using sub element.

I think it could be possible to somehow detect the remediation functions when we run oscap xccdf generate guide to have them only once in the output.

[mpreisler]

I think it could be possible to somehow detect the remediation functions when we run oscap xccdf generate guide to have them only once in the output.

I assume you mean generate fix, and yeah, that is possible but to have this work in the generic case you have to parse bash code, not all of it but you have to be able to pair brackets and all that. You can't do this using regex because it's not context-free...

[jan-cerny]

The point was not to solve it in a generic way but in a way that would reduce the most frequent duplicates.

I agree that it is easy to survive without that.